Cloud Computing | Microsoft Trustworthy Computing Blog

Cloud Computing Security News and Guidance for Businesses and Organizations

May, 2013

  • Threat Trends: Tim Rains discusses Asia Threat Landscape with Rico Hizon - BBC World News

    Posted by Jeff Jones, director, Trustworthy Computing

    If you are looking for threat intelligence from Microsoft, you are likely aware of the Microsoft Security Intelligence Report which contains data and analysis from over a billion systems worldwide.  In April, we launched volume 14 of the Microsoft Security Intelligence Report which included a trip in Asia to discuss regional threat trends.  While in Singapore, Tim Rains sat down with Rico Hizon from BBC World News to discuss the threat landscape in the region.  You can watch the full episode here.

    Regional threat trends are important in helping customers who do business or reside in those markets a way to better understand how to manage risk.  Tim has previously blogged about regional threat trends and provided specific actions that can be taken to help protect against threats faced in the region. In the BBC interview, you can see Tim dive deeper into the regional threat trends for Asia and discuss how customers in those markets can manage risk. For more information on the global or regional threat trends, check out our latest Microsoft Security Intelligence Report.

  • Evaluating Security Needs for Private Cloud

    Posted by  Adrienne Hall, general manager, Trustworthy Computing
    As I meet with customers, some ask: public or private cloud – which has more security risk? Actually, there are different sets of risks depending on the organization and their compliance needs.

    A private cloud is a pool of computing resources controlled by a particular enterprise.  Private clouds deliver a standardized set of services that are specified and architected, for the organization. The path to a private cloud is often driven by the need to maintain control of the delivery environment because of application maturity, performance and/or regulatory requirements, and business differentiation.

    The opportunities offered by cloud computing requires a thorough assessment of benefits and risks. 

    Here are a few reasons why you might prefer a private cloud:

    - A regulatory or security concern prevents you from allowing even encrypted data to reside in a public cloud.

    - An in-house, customized application requires greater reliability or speed, potentially optimized through your own network rather than relying on the Internet.

    - You want control over your assets, including physical possession of the hardware on which your data resides.

    A Microsoft private cloud solution creates a layer of abstraction over pooled IT resources.  Private clouds offer the scalability and pooled resources of cloud computing based on the organization’s terms, within dedicated resources in their own datacenter or perhaps in a service provider’s datacenter.

  • The time is now. Security Development Must be a Priority for Everyone

    By Steve Lipner, partner director of Software Security, Trustworthy Computing Security, Microsoft

    Today marks the first day of the Security Development Conference 2013.  Security professionals from companies, government agencies and academic institutions have traveled from all over the world to learn, network and share proven security development practices that can reduce an organization’s risk. As I sit here waiting for Scott Charney to take the stage, I am reminded that it’s been almost a decade since Microsoft implemented its Security Development Lifecycle (SDL).  So much has changed in that time.  

    In the past decade, Internet usage has gone from roughly 350 million people online to more than 2.4 billion. Today there are more opportunities than ever before for developers.  Windows 8 is still relatively new, the cloud is in its early stages of adoption and there has been an explosion in new mobile devices and platforms. While the Internet has created many new opportunities and ways to do business, it has also spawned a digital underground for online crime. Security breaches that have financial consequences or lead to intellectual property loss, website defacement or espionage have become a reality in today’s computing landscape.

    Many of the developers I talk with generally recognize the importance of security development. Despite this, the evidence suggests that the vast majority of organizations still have not adopted security development as a fundamental professional discipline. Microsoft recently surveyed over 2200 IT professionals and 490 developers worldwide.  The survey found that only 37 percent of IT Professionals cited their organizations as building their products and services with security in mind.  Furthermore, 61 percent of developers were not taking advantage of mitigation technologies that already exist such as ASLR, SEHOP and DEP. These mitigations have been freely available to the industry for years and are often simple additions to existing development practices–and yet only a minority of developers are leveraging them.  This is concerning to me and it should be concerning to everyone who uses the Internet.

  • Improve the reliability of your service with resilience modeling & analysis

    Posted by David Bills, chief reliability strategist, Trustworthy Computing

    I’ve written before on the complexity of the cloud, including the notion that things will go wrong and the importance of planning ahead to minimize impact to customers when things do go wrong. Today Microsoft released a new whitepaper titled, “Resilience by design for cloud services”, which provides a methodology for resilience modeling, along with detailed guidance and example templates for cloud services teams to use.  The goal is to make implementation easy and consistent.

    The paper describes resilience modeling and analysis (RMA), which is based on an industry-standard technique called failure mode and effects analysis (FMEA), but  we’ve adapted it to more effectively prioritize work in the areas of detection, mitigation and recovery from failures – all of which are significant factors in reducing time to recover (TTR) for cloud services.

    There are four key phases of the RMA process:

    1. Pre-work. This is one of the most critical phases of the process and it’s important to remember that the quality of the artifacts produced during this phase will have a significant influence on the final output. This phase covers two separate activities. First, the team develops a complete logical diagram, (or schematic), for their service which depicts every component, data source and data flow visually. Second, the team uses the logical diagram to identify all of the components susceptible to failure, (a.k.a. failure points). The team makes sure they understand the interactions, or connections, between these components and how each component in the ecosystem works.
    2. Discover. In this step the team identifies all potential failure modes for each component including the underlying service infrastructure elements and the various dependencies between those elements. The goal is to capture where the system can fail, (points), and how it can fail, (modes).  We help guide this conversation with a pre-populated failure category checklist.
    3. Rate. In this phase, the team analyzes and records the effects that could result from each of the failures identified during the Discover phase. The RMA workbook contains a series of drop-down selections which help determine the effect and likelihood of a particular failure. These columns include the effect of the failure; the portion of users affected by the failure; the time it takes to detect the failure; the time it takes to recover from the failure and the likelihood of the failure occurring. This phase produces a list of calculated risk values for every failure type, and allows the team to prioritize their engineering investments based on those risk values.
    4. Act. The final phase is to take action on the items captured in the RMA worksheet and make the necessary investments to improve the reliability of the service. The ranking of failures captured during the Rate phase will allow teams to target their efforts toward the improvements which will have the biggest impact.

    If you are designing and deploying cloud services at scale, I encourage you to download this paper to read more about resilience modeling and analysis (RMA) and consider how implementing this process may help to improve the reliability of your online services.

  • Cloud Computing Trends Report: Understanding IT Maturity Practices

    By Adrienne Hall, general manager, Trustworthy Computing

    Many organizations considering cloud adoption can benefit from timely trends research and simple, well-organized information about their current IT state to better assess the benefits of adopting a particular cloud service.

    Today Microsoft released the new Trends in cloud computing report, which analyzes the results of current IT maturity and adoption practices of organizations worldwide that have used the free Cloud Security Readiness Tool (CSRT). The data consists of answers provided by people who used the CSRT over a six-month period between October 2012 and March 2013. This trends report helps organizations understand and evaluate IT security areas that are strengths and weaknesses. For example, areas of strength for those who utilized the tool are information security (through deployment of antivirus /antimalware software), security architecture, and facility security. Areas of weakness are human resources security, operations security, information security (through consistent incident reporting), legal protection and operations management.

  • Problem management for reliable online services

    Posted by David Bills, chief reliability strategist, Trustworthy Computing

    I think most cloud providers recognize how important it is for them to be able to detect, diagnose, and resolve problems that threaten to reduce the availability and reliability of the services they offer. However, due to the plethora of components and dependencies involved in a typical cloud service, rapid detection, diagnosis and resolution of issues can be rather hard to achieve.  Different root causes may manifest themselves as similar symptoms – this means it can be difficult to know for certain whether or not you have resolved an issue permanently.

    For example, slow response times could be traced back to queries that haven’t been optimized or to fully-utilized network links slowing the transfer of data or to machines swapping from memory to disk and back.  How you go about solving for each of these root causes is radically different, despite the same symptom – sluggish response!

    Many organizations focus their attention on incident management, but in my experience, it’s the organizations that employ a robust problem management process that achieve greater reliability, agility and efficiency when managing their cloud services.

    Today Microsoft released a new whitepaper titled, “Problem management for reliable online services”. The paper describes problem management and the benefits organizations derive from implementing a robust problem management framework. It compares incident management to problem management, and describes the fundamental concepts of effective problem management and outlines the problem management processes organizations can use to help improve the reliability of their online services. The paper also includes two real-world examples of approaches to problem management used by Bing and Microsoft IT.

  • Professional Security Magazine Recognizes Microsoft Security Leadership

    By Jeff Jones, director, Trustworthy Computing

    Today in Birmingham, England, Adrienne Hall, general manager of Trustworthy Computing, received one of three Professional Security Magazine’s Women in Security awards for her leadership and significant contributions to the security industry and to women within the field. 

    Adrienne regularly meets with security industry leaders in business, academia, government and law enforcement to share ideas, strategies, and discuss timely security resources that advance industry learning and collaboration. She is often a keynote speaker at and frequently tailors presentations to include Cloud Computing. In particular, the ways in which Cloud vendors need to demonstrate the security, privacy and reliability of their Cloud solutions.

    Adrienne is also recognized within the security industry for her leadership on the Microsoft Security Intelligence Report (SIR), which analyzes the threat landscape of exploits, vulnerabilities, and malware using data based on telemetry from over a billion systems worldwide. Threat awareness via data, insights, and guidance provided in the SIR can be useful in helping security leaders protect their organizations, software, and users.  In addition, hundreds of thousands of people each month leverage the information contained in Security Bulletins from Microsoft, a consistent source of information published by Adrienne’s group in partnership with Microsoft’s Security Response Center. 

    The goal of these various investments and partnerships is to improve the state of information security; one that she acknowledges is more a journey than a destination in today’s evolving threat landscape. 

  • Want a New Job? Online Reputation Matters

    Posted by Jacqueline Beauchere, Chief Online Safety Officer, Microsoft

    Almost 46 percent of Internet users are going online to find a job, according to recent data.  That total nearly doubles when it comes to hiring managers using the Internet to screen prospective candidates. 

    Increasingly, such statistics, coupled with conversations about online reputation – like the one at last week’s 2013 FOSI European Forum – continue to show that in today’s digital world, online information is just as important as an individual’s past employment history. 

    Held in Dublin and sponsored by The Family Online Safety Institute (FOSI), last week’s event brought together some 150 representatives from government, including Frances Fitzgerald, the Irish Minister for Children and Youth Affairs; industry leaders from companies such as Microsoft, Facebook, and Twitter the education sector, civil society, and the advocacy community to discuss, “The Year of the Digital Citizen:  Online Safety, Data Protection, and Privacy.”

    It was a question and comment from an audience member that sparked additional conversation, and  underscored for me and others the ongoing need to attentively safeguard one’s digital reputation.

  • Social Circles to Social Outcasts: Mobile Manners & Madness

    Posted by Kim Sanchez, director, TwC Online Safety Communications, Microsoft

    From loud talkers, to people who answer their cell phone while you’re in mid-sentence, there are a number of mobile phone pet peeves that are getting under people’s skin. Microsoft’s Safer Online Facebook poll asked our social media fans; What do they find most annoying about the way people use their mobile phone? Have their ever…and, who is safer? 
    Here’s what they told us; 

    Their “Top Five” most selected pet peeves include:
    • Constant phone checking (44 percent of the respondents included this in their top five)
    • Loud talkers (41 percent)
    • Using or not silencing the phone when appropriate, for instance in social settings (40 percent)
    • Using the phone during face-to-face conversations (39 percent)
    • Delaying traffic (35 percent)

    Have they ever…oh yes they did!  Respondents shared with us, a number of entertaining stories; like pocket dialing while singing along to the radio.  This may be simply irritating to some, but it’s a great example of how you may be doing more than just annoying your social circles, or becoming a social outcast. In fact, you could be putting your personal information at risk. 

    Our Microsoft Safer Online poll found that:
    • Nearly half of respondents (47percent) said they have lost their mobile phone,
    • Exactly half (50 percent) said they have pocket dialed someone, and
    • More than half (58 percent) have shared their location